In today’s fast-moving business landscape, with reputational sensitivity at an all-time high and brand crisis potentially just a tweet away, the criticality of an effective crisis management plan (CMP) has never been more important to business sustenance and viability. But despite this PR clarion call, new research from global law firm Morrison & Foerster, in partnership with the biz ethics org Ethisphere Institute, reveals that organizational confidence in CMPs appears to be critically low, with nearly two out of three senior executives being only somewhat (56 percent) or minimally confident (10 percent) in their plans.
The firm’s inaugural global Crisis Management Benchmarking Report, which was conducted to help define and advance the standards of ethical business practices, includes the results of a global survey of nearly 250 senior executives in ethics, compliance, legal, communications, and risk functions, from both public and private companies and non-profits across the world.
“Having a well-designed crisis management plan is a critical aspect of being prepared. But too often, as this survey shows, executives lack confidence in their plan and don’t know whether it could be relied upon in an actual crisis,” said John Carlin, chair of Morrison & Foerster’s Global Risk and Crisis Management practice group and co-head of the National Security practice group, in a news release. “That is why it is so important that organizations practice how they would respond to different scenarios and test whether their plan is workable.”
The online survey included questions about crisis management plans, the roles involved in the development of these plans, how companies prepare their teams, and the ways that companies use outside counsel for crisis management and preparedness. Some key findings include:
Cyber breaches continue to be the event most covered by CMPs
- A full 67 percent of companies include breaches in their plans, with workplace violence and harassment followed as a close second, with 57 percent of companies including this event in their plans
- In addition to cyber breaches and workplace violence and harassment, companies are planning for a range of other incidents, including intellectual property theft and litigation, terrorism, events relating to a government investigation, environmental damage, bribery and corruption allegations, and product recalls
Outside counsel are being used for more than just general strategy and planning
- Approximately two out of five companies surveyed also use outside counsel for advance planning with communications firms (41 percent), which is a critically important element of a CMP
“This report gives business leaders insights into current trends involving crisis management response around the world and highlights best practices for crisis planning,” added Carlin.
Interviews with Morrison & Foerster attorneys and senior compliance and ethics professionals helped inform key recommendations covered in the report that will raise organizational confidence in crisis management plans. Examples include:
Companies should prepare across functions and not in silos
The best and most prepared companies have a crisis management team comprised of cross-functional leaders, all of whom must have good working relationships and regular communication.
A CMP should be general, flexible, and adaptable
Your plan should be able to cover incidents of all types, from cyber breach to natural disasters, leadership crisis (for example, the death of a CEO) to a dawn raid by government regulators.
CMPs should be well documented, practiced, quick to implement, and reviewed often
They should also include a plan for implementation if standard system access is not available.
Senior-level stakeholders, including boards of directors, need be involved in the process
They should also should annual reviews of their CMPs.
Organizations should benchmark their plans annually
They should also have formal, documented crisis management teams, and running drills on key risks areas at least annually.
David Newman, Of Counsel in Morrison & Foerster’s National Security and Global Risk & Crisis Management practices, highlighted the importance of ensuring that the response plan reflects input from all relevant components of an organization and is tested with the actual participants who would be called upon to use it through tabletop exercises and other drills: “Don’t prepare in silos. Consider not just preparation within workstreams but true cross-functional planning—part of the purpose of a good tabletop exercise is to give people the experience of working through challenging scenarios and elements of the response. To be able to go fast and also be effective, you have to have practiced.”
The data from this survey was combined with interviews from large, multinational companies with sophisticated legal, ethics, and compliance programs, as well as from Morrison & Foerster’s partners that have practices in various domains of corporate crisis management, in order to identify best practices for plan development, maintenance, and implementation.